6 Things Not to Do After a Data Breach

If your business IT security has been breached there are several things you should do immediately. However, there are also a number of things you should strenuously avoid. We discuss six things you absolutely shouldn't do if the bad guys target your servers.

Maintaining and enforcing IT security is something we've covered from several angles, especially how-to and evolving security trends, and that's certainly information you should thoroughly digest. Additionally, you should make sure your business is well equipped to protect and defend itself from cyber attack, especially via IT-grade endpoint protection and granular identity management and access control measures. A solid and tested data backup process is a must-have, too. Unfortunately, the playbook for a data breach keeps changing, which means some of your actions during a disaster could be as harmful as they are helpful. That's where this piece comes in.

In this article, we discuss what companies should avoid doing once they realize their systems have been breached. We spoke to several experts from security companies and industry analysis firms to better understand the potential pitfalls and disaster scenarios that develop in the wake of cyberattacks.

1. Do Not Improvise

In the event of an attack, your first instinct will tell you to begin the process of rectifying the situation. This may include protecting the endpoints that have been targeted or reverting to previous backups to close up the entry point used by your attackers. Unfortunately, if you hadn't previously developed a strategy, then whatever hasty decisions you make after an attack could worsen the situation.

"The first thing you should not do after a breach is create your response on the fly," said Mark Nunnikhoven, Vice President of Cloud Research at cyber security solution provider Trend Micro. "A critical part of your incident response plan is preparation. Key contacts should be mapped out ahead of time and stored digitally. It should also be available in hard copy in case of a catastrophic breach. When responding to a breach, the last thing you need to be doing is trying to figure out who is responsible for what actions and who can authorize various responses."

Ermis Sfakiyanudis, President and CEO of data protection services company Trivalent, agrees with this approach. He said it's critical that companies "do not freak out" after they've been hit by a breach. "While unpreparedness in the face of a data breach can cause irreparable damage to a company, panic and disorganization can also be extremely detrimental," he explained. "It is critical that a breached company not stray from its incident response plan, which should include identifying the suspected cause of the incident as a first step. For example, was the breach caused by a successful ransomware attack, malware on the system, a firewall with an open port, outdated software, or unintentional insider threat? Next, isolate the affected system and eradicate the cause of the breach to ensure your system is out of danger."

Sfakiyanudis said it's vital that companies ask for help when they're in over their heads. "If you determine that a breach has indeed occurred following your internal investigation, bring in third-party expertise to help handle and mitigate the fallout," he said. "This includes legal counsel, outside investigators who can conduct a thorough forensic investigation, and public relations and communication experts who can create strategy and communicate to the media on your behalf.

"With this combined expert guidance, organizations can remain calm through the chaos, identifying what vulnerabilities caused the data breach, remediating so the issue doesn't happen again in the future, and ensuring their response to affected customers is appropriate and timely. They can also work with their legal counsel to determine if and when law enforcement should be notified."

2. Do Not Go Silent

Once you've been attacked, it's comforting to think that no one outside of your inner circle knows what just happened. Unfortunately, the risk here isn't worth the reward. You'll want to communicate with staffers, vendors, and customers to let everyone know what has been accessed, what you did to remedy the situation, and what steps you intend to take to ensure no similar attacks occur in the future. "Don't ignore your own employees," advised Heidi Shey, Senior Analyst of Security & Risk at Forrester Research. "You need to communicate with your employees about the event, and provide guidance for your employees about what to do or say if they're asked about the breach."

Shey, like Sfakiyanudis, said you may want to look into hiring a public relations team to help control the messaging behind your response. This is especially true for large and expensive consumer-facing data breaches. "Ideally, you'd want such a provider identified in advance as a part of your incident response planning so you can be ready to kick off your response," she explained.

Just because you're being proactive about notifying the public that you've been breached, it doesn't mean that you can start issuing wild statements and proclamations. For example, when toymaker VTech was breached, photos of children and chat logs were accessed by a hacker. After the situation had died down, the toymaker changed its Terms of Service to relinquish its responsibility in the event of a breach. Needless to say, customers were not happy. "You don't want to look like you're resorting to hiding behind legal means, whether that's in avoiding liability or controlling the narrative," said Shey. "Better to have a breach response and crisis management plan in place to help with breach-related communications."

3. Do Not Make False or Misleading Statements

This is an obvious one, but you'll want to be as accurate and honest as possible when addressing the public. This is beneficial to your brand, but it's also beneficial to how much money you'll recoup from your cyber-insurance policy should you have one. "Don't issue public statements without consideration for the implications of what you're saying and how you sound," said Nunnikhoven.

"Was it really a 'sophisticated' attack? Labeling it as such doesn't necessarily make it true," he continued. "Does your CEO really need to call this an 'act of terrorism'? Have you read the fine print of your cyber-insurance policy to understand exclusions?"

Nunnikhoven recommends crafting messages that are "no-bull, frequent, and which clearly state actions that are being taken and those that need to be taken." Trying to spin the situation, he said, tends to make things worse. "When users hear about a breach from a third party, it immediately erodes hard-won trust," he explained. "Get out in front of the situation and stay in front, with a steady stream of concise communications in all channels where you're already active."

4. Remember Customer Service

If your data breach affects an online service, your customers' experience, or some other aspect of your business that might have customers sending you inquiries, make sure to focus on this as a separate and important issue. Ignoring your customers' problems or even overtly attempting to turn their bad luck into your gain can quickly turn a serious data breach into a nightmarish loss of business and revenue.

Taking the Equifax breach as an example, the company originally told customers they could have a year of free credit reporting if only they wouldn't sue. It even tried to turn the breach into a profit center when it wanted to charge customers extra if they asked to have their reports frozen. That was a mistake, and it hurt the company's customer relationships on a long-term basis. What the company should have done was place its customers first and simply offered all of them unconditional reporting, maybe even at no charge, for the same time period to emphasize its commitment to keeping customers safe.

5. Do Not Close Incidents Too Soon

You've closed your corrupted endpoints. You've contacted your employees and customers. You've recovered all of your data. The clouds have parted and a ray of sunshine has cascaded onto your desk. Not so fast. Although it may seem as if your crisis has ended, you'll want to continue to aggressively and proactively monitor your network to ensure there are no follow-up attacks.

"There is a huge amount of pressure to restore services and recover after a breach," said Nunnikhoven. "Attackers move quickly through networks once they gain a foothold, so it's hard to make a concrete determination that you've addressed the entire issue. Staying diligent and monitoring more aggressively is an important step until you're sure the organization is in the clear."

Sfakiyanudis agrees with this assessment. "After a data breach is resolved and regular business operations resume, do not assume the same technology and plans you had in place pre-breach will be sufficient," he said. "There are gaps in your security strategy that were exploited and, even after these gaps are addressed, it doesn't mean there won't be more in the future. In order to take a more proactive approach to data protection moving forward, treat your data breach response plan as a living document. As individuals change roles and the organization evolves via mergers, acquisitions, etc., the plan needs to change as well."

6. Do Not Forget to Investigate

"When investigating a breach, document everything," said Sfakiyanudis. "Gathering information on an incident is critical in validating that a breach occurred, what systems and data were impacted, and how mitigation or remediation was addressed. Log results of investigations through data capture and analysis so they are available for review post-mortem.

"Be sure to also interview anyone involved and carefully document their responses," he continued. "Creating detailed reports with disk images, as well as details on who, what, where, and when the incident occurred, will help you implement any new or missing risk mitigation or data protection measures."

Such measures are obviously for possible legal consequences after the fact, but that's not the only reason to investigate an attack. Finding out who was responsible and who was affected is key knowledge for the lawyers, and should certainly be investigated. But how the breach happened and what was targeted is key information for IT and your security staff. What part of the perimeter needs improvement and what portions of your data are (apparently) valuable to ne'er-do-wells? Make sure you investigate all valuable angles to this incident and make sure your investigators know that right from the start.
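The "document everything" advice above, with disk images and who/what/where/when details, is easier to act on with an evidence register that can later prove the artifacts reviewed in the post-mortem are the ones originally captured. The following Python script is an added example written for this article, not code from PCMag or any of the quoted companies; the artifact names, hosts and investigator handle are constructed placeholders, and the "disk image" is just a small file standing in for a real one.

```python
"""Hash-verified evidence register for a breach investigation (added example).

Each artifact collected during the investigation is recorded with a SHA-256
digest, its size, who collected it, which host it came from, and a UTC
timestamp. Re-running verify() later shows whether any artifact has been
altered since it was logged, which is the property a post-mortem needs.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so a multi-GB disk image never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


class EvidenceRegister:
    """Append-only list of artifacts; entries are never edited after being added."""

    def __init__(self):
        self.entries = []

    def add(self, path, kind, collected_by, source_host, note=""):
        """Record one artifact (kind: e.g. 'disk-image', 'interview', 'log-export')."""
        entry = {
            "id": len(self.entries) + 1,
            "kind": kind,
            "path": os.path.abspath(path),
            "sha256": sha256_file(path),
            "size": os.path.getsize(path),
            "collected_by": collected_by,                            # who
            "source_host": source_host,                              # where
            "collected_at": datetime.now(timezone.utc).isoformat(),  # when
            "note": note,                                            # what
        }
        self.entries.append(entry)
        return entry

    def verify(self):
        """Re-hash every artifact; return the ids whose contents no longer match."""
        return [e["id"] for e in self.entries if sha256_file(e["path"]) != e["sha256"]]

    def to_json(self):
        """Serialise the register for the post-mortem report."""
        return json.dumps(self.entries, indent=2)


def demo():
    """Constructed sample: two artifacts in a temp directory, one altered after logging."""
    workdir = tempfile.mkdtemp()
    image = os.path.join(workdir, "ws-042.dd")               # placeholder disk image
    notes = os.path.join(workdir, "interview-helpdesk.txt")  # placeholder interview notes
    with open(image, "wb") as handle:
        handle.write(b"\x00" * 4096)
    with open(notes, "w") as handle:
        handle.write("Helpdesk reported the suspicious email at 09:14 UTC.\n")

    register = EvidenceRegister()
    register.add(image, "disk-image", "j.doe", "ws-042", "imaged before the host was reimaged")
    register.add(notes, "interview", "j.doe", "helpdesk", "initial report, transcribed")
    clean = register.verify()  # [] because nothing has changed yet

    # Someone "tidies up" the interview notes after the fact; verify() catches it.
    with open(notes, "a") as handle:
        handle.write("edited after the fact\n")
    tampered = register.verify()  # [2]: only the interview notes no longer match
    return clean, tampered, register


if __name__ == "__main__":
    clean_ids, tampered_ids, reg = demo()
    print(reg.to_json())
    print("artifacts that no longer match their recorded hash:", tampered_ids)
```

In practice the register itself should be written to storage the investigation team cannot silently modify (write-once media or a hashed, signed export), since a register that can be edited alongside the evidence proves nothing.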

If your company is too analog to conduct this analysis on its own, you'll probably want to hire an external team to conduct this investigation for you (as Sfakiyanudis mentioned earlier). Take notes on the search process as well. Note what services you were offered, which vendors you spoke to, and whether or not you were happy with the investigation process. This information will help you determine whether to stick with your vendor, choose a new vendor, or hire in-house staff who are capable of conducting these processes should your company be unlucky enough to suffer a second breach.

About Juan Martinez